From 0d70c68395f180ad61b6cefedcef9d8d428df46c Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 28 Sep 2009 10:13:06 -0400
Subject: Fix aci plugin, enhance aci parsing capabilities, add user group
 support

- The aci plugin didn't quite work with the new ldap2 backend.
- We already walk through the target part of the ACI syntax so skip that
  in the regex altogether. This now lets us handle all current ACIs in IPA
  (some used to be ignored/skipped)
- Add support for user groups so one can do v1-style delegation (group A
  can write attributes x,y,z in group B). It is actually quite a lot more
  flexible than that but you get the idea)
- Improve error messages in the aci library
- Add a bit of documentation to the aci plugin
---
 ipalib/aci.py | 32 ++++++++++++++++++--------------
 1 file changed, 18 insertions(+), 14 deletions(-)

(limited to 'ipalib/aci.py')

diff --git a/ipalib/aci.py b/ipalib/aci.py
index 3c4b2acb6..88424eecd 100755
--- a/ipalib/aci.py
+++ b/ipalib/aci.py
@@ -24,7 +24,7 @@ import ldap
 # The Python re module doesn't do nested parenthesis
 
 # Break the ACI into 3 pieces: target, name, permissions/bind_rules
-ACIPat = re.compile(r'\s*(\([^\)]*\)+)\s*\(version\s+3.0\s*;\s*acl\s+\"([^\"]*)\"\s*;\s*([^;]*);\s*\)', re.UNICODE)
+ACIPat = re.compile(r'\(version\s+3.0\s*;\s*acl\s+\"([^\"]*)\"\s*;\s*([^;]*);\s*\)', re.UNICODE)
 
 # Break the permissions/bind_rules out
 PermPat = re.compile(r'(\w+)\s*\((.*)\)\s+(.*)', re.UNICODE)
@@ -32,9 +32,6 @@ PermPat = re.compile(r'(\w+)\s*\((.*)\)\s+(.*)', re.UNICODE)
 # Break the bind rule out
 BindPat = re.compile(r'([a-zA-Z0-9;\.]+)\s*(\!?=)\s*(.*)', re.UNICODE)
 
-# Don't allow arbitrary attributes to be set in our __setattr__ implementation.
-OBJECTATTRS = ["name", "orig_acistr", "target", "action", "permissions",
-                   "bindrule"]
 ACTIONS = ["allow", "deny"]
 
 PERMISSIONS = ["read", "write", "add", "delete", "search", "compare",
@@ -76,7 +73,7 @@ class ACI:
         aci = ""
         for t in self.target:
             op = self.target[t]['operator']
-            if isinstance(self.target[t]['expression'], list):
+            if type(self.target[t]['expression']) in (tuple, list):
                 target = ""
                 for l in self.target[t]['expression']:
                     target = target + l + " || "
@@ -132,14 +129,17 @@ class ACI:
                 self.target[var]['expression'] = val
 
     def _parse_acistr(self, acistr):
-        acimatch = ACIPat.match(acistr)
-        if not acimatch or len(acimatch.groups()) < 3:
-            raise SyntaxError, "malformed ACI"
-        self._parse_target(acimatch.group(1))
-        self.name = acimatch.group(2)
-        bindperms = PermPat.match(acimatch.group(3))
+        vstart = acistr.find('version')
+        if vstart < 0:
+            raise SyntaxError, "malformed ACI, unable to find version %s" % acistr
+        acimatch = ACIPat.match(acistr[vstart-1:])
+        if not acimatch or len(acimatch.groups()) < 2:
+            raise SyntaxError, "malformed ACI, match for version and bind rule failed %s" % acistr
+        self._parse_target(acistr[:vstart-1])
+        self.name = acimatch.group(1)
+        bindperms = PermPat.match(acimatch.group(2))
         if not bindperms or len(bindperms.groups()) < 3:
-            raise SyntaxError, "malformed ACI"
+            raise SyntaxError, "malformed ACI, permissions match failed %s" % acistr
         self.action = bindperms.group(1)
         self.permissions = bindperms.group(2).replace(' ','').split(',')
         self.set_bindrule(bindperms.group(3))
@@ -150,7 +150,7 @@ class ACI:
 
            returns True if valid
         """
-        if not isinstance(self.permissions, list):
+        if not type(self.permissions) in (tuple, list):
             raise SyntaxError, "permissions must be a list"
         for p in self.permissions:
             if not p.lower() in PERMISSIONS:
@@ -175,7 +175,7 @@ class ACI:
         self.target['targetfilter']['operator'] = operator
 
     def set_target_attr(self, attr, operator="="):
-        if not isinstance(attr, list):
+        if not type(attr) in (tuple, list):
             attr = [attr]
         self.target['targetattr'] = {}
         self.target['targetattr']['expression'] = attr
@@ -211,6 +211,7 @@ class ACI:
 
         returns True if equal, False if not.
         """
+        assert isinstance(b, ACI)
         try:
             if self.name.lower() != b.name.lower():
                 return False
@@ -320,3 +321,6 @@ if __name__ == '__main__':
 
     a = ACI('(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)')
     print a
+
+    a = ACI('(targetfilter = "(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfNames)(objectClass=posixGroup))")(targetattr != "aci || userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add, delete, read, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=greyoak,dc=com";)')
+    print a
-- 
cgit